Bug#777040: unblock: libhtp/0.5.16-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libhtp
(explain the reason for the unblock here)
Dear release team,
We were contacted privately regarding this release of libhtp/suricata
which include important security updates (no CVE asigned thought).
We considered backporting just the important patches, but the changelog is
rather small and we decided to package the new version directly.
Before we upload 0.5.16-1 to unstable we would like to make sure that this is OK for you.
This is the debdiff, which was generated using this cmdline:
debdiff --diffstat libhtp_0.5.15-1.dsc libhtp_0.5.16-1.dsc | filterdiff -i '*.[ch]'
--- libhtp-0.5.15/htp/htp_config.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_config.c 2015-01-27 07:08:27.000000000 +0100
@@ -559,6 +559,7 @@
htp_config_set_convert_lowercase(cfg, HTP_DECODER_URL_PATH, 1);
htp_config_set_utf8_convert_bestfit(cfg, HTP_DECODER_URL_PATH, 1);
htp_config_set_u_encoding_decode(cfg, HTP_DECODER_URL_PATH, 1);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_APACHE_2:
@@ -575,6 +576,7 @@
htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_url_encoding_invalid_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_IGNORE);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_400);
break;
case HTP_SERVER_IIS_5_1:
@@ -590,6 +592,7 @@
htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_IGNORE);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_IIS_6_0:
@@ -606,6 +609,7 @@
htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_u_encoding_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
case HTP_SERVER_IIS_7_0:
@@ -623,6 +627,7 @@
htp_config_set_url_encoding_invalid_handling(cfg, HTP_DECODER_URL_PATH, HTP_URL_DECODE_PRESERVE_PERCENT);
htp_config_set_url_encoding_invalid_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
htp_config_set_control_chars_unwanted(cfg, HTP_DECODER_URL_PATH, HTP_UNWANTED_400);
+ htp_config_set_requestline_leading_whitespace_unwanted(cfg, HTP_DECODER_DEFAULTS, HTP_UNWANTED_IGNORE);
break;
default:
@@ -883,3 +888,9 @@
}
}
}
+
+void htp_config_set_requestline_leading_whitespace_unwanted(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, enum htp_unwanted_t unwanted) {
+ if (ctx >= HTP_DECODER_CONTEXTS_MAX) return;
+
+ cfg->requestline_leading_whitespace_unwanted = unwanted;
+}
--- libhtp-0.5.15/htp/htp_connection_parser.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_connection_parser.c 2015-01-27 07:08:27.000000000 +0100
@@ -49,8 +49,10 @@
htp_conn_close(connp->conn, timestamp);
// Update internal flags
- connp->in_status = HTP_STREAM_CLOSED;
- connp->out_status = HTP_STREAM_CLOSED;
+ if (connp->in_status != HTP_STREAM_ERROR)
+ connp->in_status = HTP_STREAM_CLOSED;
+ if (connp->out_status != HTP_STREAM_ERROR)
+ connp->out_status = HTP_STREAM_CLOSED;
// Call the parsers one last time, which will allow them
// to process the events that depend on stream closure
--- libhtp-0.5.15/htp/htp_request_generic.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_request_generic.c 2015-01-27 07:08:27.000000000 +0100
@@ -251,6 +251,7 @@
unsigned char *data = bstr_ptr(tx->request_line);
size_t len = bstr_len(tx->request_line);
size_t pos = 0;
+ size_t mstart = 0;
if (nul_terminates) {
// The line ends with the first NUL byte.
@@ -266,13 +267,27 @@
pos = 0;
}
+ // skip past leading whitespace. IIS allows this
+ while ((pos < len) && htp_is_space(data[pos])) pos++;
+ if (pos) {
+ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Request line: leading whitespace");
+ mstart = pos;
+
+ if (connp->cfg->requestline_leading_whitespace_unwanted != HTP_UNWANTED_IGNORE) {
+ // reset mstart so that we copy the whitespace into the method
+ mstart = 0;
+ // set expected response code to this anomaly
+ tx->response_status_expected_number = connp->cfg->requestline_leading_whitespace_unwanted;
+ }
+ }
+
// The request method starts at the beginning of the
// line and ends with the first whitespace character.
while ((pos < len) && (!htp_is_space(data[pos]))) pos++;
// No, we don't care if the method is empty.
- tx->request_method = bstr_dup_mem(data, pos);
+ tx->request_method = bstr_dup_mem(data + mstart, pos - mstart);
if (tx->request_method == NULL) return HTP_ERROR;
#ifdef HTP_DEBUG
--- libhtp-0.5.15/htp/htp_transaction.c 2014-10-16 14:03:28.000000000 +0200
+++ libhtp-0.5.16/htp/htp_transaction.c 2015-01-27 07:08:27.000000000 +0100
@@ -792,6 +792,10 @@
switch (tx->response_content_encoding_processing) {
case HTP_COMPRESSION_GZIP:
case HTP_COMPRESSION_DEFLATE:
+ // In severe memory stress these could be NULL
+ if (tx->connp->out_decompressor == NULL || tx->connp->out_decompressor->decompress == NULL)
+ return HTP_ERROR;
+
// Send data buffer to the decompressor.
tx->connp->out_decompressor->decompress(tx->connp->out_decompressor, &d);
unblock libhtp/0.5.16-1
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Reply to: